A new SQL malware Targets online shops running on Magento

Security experts have discovered a new SQL malware targeting online shops running on Magento that hides the code in the website’s database.

Security experts have discovered a new strain of malware that is targeted websites raising Russian the Magento eCommerce platform. The novelty is that this is the first a malware that hides the code in the website’s database is completely written in SQL.

The malware is triggered every time a user places a new order, the “SQL trigger” is then executed before the Magento platform even assembles the web page.

The researchers Willem de Groot that first analyzed the SQL malware discovered by Jeroen Boersma explained that this is a significant evolution on the threat landscape.

“The trigger is executed every time a new order is made. The query checks for the existence of the malware in the header, footer, copyright and every CMS block. If absent, it will re-add itself.” reads the blog post published by Willem de Groot.

“This discovery shows we have entered a new phase of malware evolution. Just scanning files is not enough anymore, malware detection methods should now include database analysis.”

The malware could be used to steal user payment card data belonging to the users of Magento eCommerce websites.

In order to discover the presence of the SQL malware, administrators have to inspect the database searching for suspicious SQL triggers such as containing admin, .js, script or < (html tags).

echo'SHOW TRIGGERS' | n98-magerun db:console

Once discovered the malicious trigger it is possible to delete it with a command like the following one:

echo"DROP TRIGGER <trigger_name>" | n98-magerun db:console

According to the expert, SQL malware attacks starts with a brute force attack on /rss/catalog/notifystock/ for an otherwise completely patched shop.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.